New Class Of CPU Flaws Affect Almost Every Intel Processor Since 2011

Academic researchers today disclosed details of the newest class of speculative execution side-channel vulnerabilities in Intel processors that impacts all modern chips, including the chips used in Apple devices.

Now, a team of security researchers from multiple universities and security firms has discovered different but more dangerous speculative execution side-channel vulnerabilities in Intel CPUs. The newly discovered flaws could allow attackers to directly steal user-level, as well as system-level secrets from CPU buffers, including user keys, passwords, and disk encryption keys.

Speculative execution is a core component of modern processors design that speculatively executes instructions based on assumptions that are considered likely to be true. If the assumptions come out to be valid, the execution continues, otherwise discarded.

"The new vulnerabilities can be used by motivated hackers to leak privileged information data from an area of the memory that hardware safeguards deem off-limits. It can be weaponized in highly targeted attacks that would normally require system-wide privileges or deep subversion of the operating system," BitDefender told The Hacker New.

CVE-2019-11091—Microarchitectural Data Sampling Uncacheable Memory (MDSUM), also part of RIDL class of attacks.

The Fallout attack is a new transient execution attack that could allow unprivileged user processes to steal information from a previously unexplored microarchitectural component called Store Buffers.

The attack can be used to read data that the operating system recently wrote and also helps to figure out the memory position of the operating system that could be exploited with other attacks.

In their proof-of-concept attack, researchers showed how Fallout could be used to break Kernel Address Space Layout Randomization (KASLR), and leak sensitive data written to memory by the operating system kernel.

ZombieLoad attack affects a wide range of desktops, laptops, and cloud computers with Intel processor generations released from 2011 onwards. It can be used to read data that is recently accessed or accessed in parallel on the same processor core.

The ZombieLoad attack does not only work on personal computers to leak information from other applications and the operating system but can also be exploited on virtual machines running in the cloud with common hardware.

"ZombieLoad is furthermore not limited to native code execution, but also works across virtualization boundaries. Hence, virtual machines can attack not only the hypervisor but also different virtual machines running on a sibling logical core," researchers explain.

"We conclude that disabling hyperthreading, in addition to flushing several microarchitectural states during context switches, is the only possible workaround to prevent this extremely powerful attack."

Researchers even made available a tool for Windows and Linux users to test their systems against RIDL and Fallout attacks as well as other speculative execution flaws.

Academics have discovered the MDS vulnerabilities from the Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and security firms Cyberus, BitDefender, Qihoo360 and Oracle.

Multiple researchers independently reported Intel of the MSD vulnerabilities starting June 2018, but the Chip giant had asked all the researchers to keep their findings secret, some for more than a year, until the company could come out with fixes for the vulnerabilities.

Intel has now released Microcode Updates (MCU) updates to fix the MDS vulnerabilities in both hardware and software by clearing all data from buffers whenever the CPU crosses a security boundary so that the data can't be leaked or stolen.

Every operating system, virtualization vendor, and other software makers are highly recommended to implement the patch as soon as possible.

AMD and ARM chips are not vulnerable to the MDS attacks, and Intel says that some models of its chip already include hardware mitigations against this flaw.

Apple says it released a fix to address the vulnerability in the macOS Mojave 10.14.5 and Safari updates that were released yesterday.

Microsoft has also released software updates to help mitigate the MDS vulnerabilities. In some cases, the company says installing the updates will have a performance impact.